[tor-dev] (Draft) Proposal 224: Next-Generation Hidden Services in Tor
Nick Mathewson
nickm at alum.mit.edu
Fri Mar 7 16:51:22 UTC 2014
On Wed, Feb 12, 2014 at 9:42 AM, George Kadianakis <desnacked at riseup.net> wrote:
> Nick Mathewson <nickm at torproject.org> writes:
>
>> Hi, all!
>>
>> <snipz>
>>
>> 3.2.3. Legacy formats [LEGACY-INTRODUCE1]
>>
>> When the ESTABLISH_INTRO cell format of [LEGACY_EST_INTRO] is used,
>> INTRODUCE1 cells are of the form:
>>
>> AUTH_KEYID_HASH [20 bytes]
>> ENC_KEYID [8 bytes]
>> Any number of times:
>> EXT_FIELD_TYPE [1 byte]
>> EXT_FIELD_LEN [1 byte]
>> EXT_FIELD [EXTRA_FIELD_LEN bytes]
>> ZERO [1 byte]
>> ENCRYPTED [Up to end of relay payload]
>>
>
> What is this cell format?
I don't understand the question.
> Is this supposed to match the format of the
> legacy INTRODUCE1 from rend-spec.txt?
No. It's supposed to be compatible with it, though, to the extent
that the first bytes of the cell identify the key in use in both
cases.
I've added:
(After checking AUTH_KEYID and ENC_KEYID and finding no match, the
introduction point should check to see whether a legacy hidden service is
running whose PK_ID is the first 20 bytes of AUTH_KEYID. If so, it
behaves as in rend-spec.txt.)
>> Here, AUTH_KEYID_HASH is the hash of the introduction point
>> authentication key used to establish the introduction.
>>
>> Because of limitations in older versions of Tor, the relay payload
>> size for these INTRODUCE1 cells must always be at least 246 bytes, or
>> they will be rejected as invalid.
>>
>> 3.3. Processing an INTRODUCE2 cell at the hidden service. [PROCESS_INTRO2]
>>
>> Upon receiving an INTRODUCE2 cell, the hidden service host checks
>> whether the AUTH_KEYID/AUTH_KEYID_HASH field and the ENC_KEYID fields
>> are as expected, and match the configured authentication and
>> encryption key(s) on that circuit.
>>
>> The service host then checks whether it has received a cell with
>> these contents before. If it has, it silently drops it as a
>> replay. (It must maintain a replay cache for as long as it accepts
>> cells with the same encryption key.)
>>
>
> Hm, which parts of the cell is the HS supposed to save in its replay
> cache? Is it the whole cell?
Yes.
> If it's the whole cell, should we be careful of the malleability of
> AES-CTR, where the IP can tweak a bit of the ciphertext and get past
> the replay cache?
Note that the new encryption mechanism is supposed to be
non-malleable; the MAC is supposed to cover all of the INTRODUCE1
cell.
More information about the tor-dev
mailing list